*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLs in this email if you do not know what you are doing!
The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
So for example if you have a Web site called "theweaselstore.com" and your email address is "firstname.lastname@example.org" you may receive an email claiming to be from system@theweaselstore.com, which tells you to click a link that looks like
Needless to say, the "patch" you download from this address is a computer virus.
This is one of the most sophisticated social engineering attempts I've seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner's Web site embedded within it.
My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.
Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site's customers.
Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using "https://" and will have the browser padlock indicating that the site is secure, which may help it to fool more people.
I've mentioned in this post how a Web address can be designed to fool people. Nothing in the address matters except the host name, the part between the http:// or https:// prefix and the very first / character after it; so for example if you see a Web address that looks like
you are not on eBay. You can see where you are by looking at the part just before the first / which in this case is
a site called signin.ru in Russia.
Similarly, in the URLs in these hacker emails, the key part of the URL is
The computer virus is being distributed from a site called "ssl-datacontrol.com".
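To make that rule concrete, here is an added example (not code from the original post) that extracts the host name from a link, reduces it to its registrable domain, and flags the pattern above, where the target's own domain is embedded inside a host that actually belongs to someone else. The site name, id and owner address in the samples are constructed to follow the post's pattern, and the "last two labels" rule is an assumption (production code would consult the Public Suffix List).

```python
"""Added example: read a URL the way the post describes and compare the link's
real domain with the domain the email claims to come from."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the host name: everything between 'scheme://' and the first '/'."""
    # Prepend a scheme if missing so urlsplit treats the leading part as a host.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'ssl-datacontrol.com'.
    Assumption: a two-label suffix; real code would use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_matches_sender(from_addr: str, link: str) -> bool:
    """True only if the link's registrable domain is the sender's own domain."""
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    return registrable_domain(host_of(link)) == registrable_domain(sender_domain)


def embedded_brand(from_addr: str, link: str) -> bool:
    """The sender's domain appears inside the host yet is not the registrable
    domain: the 'updates.<site>.secure.ssl-datacontrol.com' pattern of the post."""
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    host = host_of(link)
    return sender_domain in host and registrable_domain(host) != registrable_domain(sender_domain)


# Constructed samples following the post's pattern (site name, id and owner
# address are hypothetical).
PHISH_FROM = "system@theweaselstore.com"
PHISH_LINK = ("http://updates.theweaselstore.com.secure.ssl-datacontrol.com"
              "/ssl/id=000000-owner@theweaselstore.com-patch000.aspx")
LEGIT_LINK = "https://www.theweaselstore.com/admin/certs"

if __name__ == "__main__":
    print(host_of(PHISH_LINK))                          # the full host name
    print(registrable_domain(host_of(PHISH_LINK)))      # ssl-datacontrol.com
    print(link_matches_sender(PHISH_FROM, PHISH_LINK))  # False
    print(embedded_brand(PHISH_FROM, PHISH_LINK))       # True
```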
ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.
Trouble-free.net is an ISP I'm very familiar with. As near as I can tell, the "trouble" they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.
The whois for ssl-datacontrol.com is, unsurprisingly, Russian:
Whois Server Version 2.0
Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010
>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<
Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU
Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: firstname.lastname@example.org
Registrar: ANO Regional Network Information Center dba RU-CENTER
So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.
The same rules apply to this as to all emails:
- DO NOT believe the From: address of an email. Ever.
- DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.
- Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.